Puppet is relatively well known in the system administrators' community. TheForeman is a much more recent project which deserves to be known. Used together, these two programs make a powerful tool to deploy and manage a datacenter.

The goals of this infrastructure are:

To use Puppet External Nodes: this feature allows binding a set of Puppet modules to a node (server) through a WebUI, so that Puppet can be managed by people without deep expertise.

The creation of reports from Puppet runs on every node managed by Foreman.

To have a datacenter-wide overview of Puppet runs.

And last but not least: to enable dynamic management of the DHCP, TFTP and DNS services, so that new machines can be deployed through PXE installation!

Installing Puppet

The first step is to set up a Puppetmaster server. We use Debian 6 (Squeeze) for the system. For maintainability reasons, we rely on the distribution's packages as much as possible. We install the following packages on the Puppetmaster server:

When installing tftpd-hpa, debconf asks you to choose the TFTP server's root directory. We use the legacy /tftpboot directory; feel free to choose another one!

Foreman's debconf installation offers to configure a database for you: choose "No". Instead, we reuse the database that Puppet already uses for storeconfigs. We configure /etc/foreman/database.yml as follows:

We need to enable this new VirtualHost and define the system user that Passenger uses to run the application (nobody/nogroup by default on Debian). Passenger runs the application as the owner of its config/environment.rb, so we change the owner of /usr/share/foreman/config/environment.rb:

At this point, you should have access to Foreman's WebUI by pointing your browser at your VirtualHost.

Adding a Smart Proxy

Foreman can manage multiple subnets, DNS zones and Puppetmasters from a single instance through its Smart Proxy mechanism. Communication between Foreman and a Smart Proxy goes over a REST API.

First of all, we start the foreman-proxy service. For now it runs under WEBrick.

service foreman-proxy start

To check that the service has started correctly, point your browser at http://foreman-proxy.virtualhost:8443/features. You should see a page listing the features enabled on your Smart Proxy. If this page is not reachable, check your firewall rules.
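The same check from the command line, as an added example that is not part of the original post or of the Foreman project: fetch the /features page of the Smart Proxy and fail unless every feature this setup relies on (DHCP, TFTP, DNS, Puppet) is listed. The proxy URL is a placeholder; the endpoint is the one named above and returns a JSON array of feature names. If your proxy is configured for SSL, pass curl the Puppet CA certificate with --cacert instead of the plain http URL.

```shell
#!/bin/sh
# Added example (not from the original post or from Foreman itself):
# verify that a Smart Proxy advertises the features Foreman will rely on.
# PROXY_URL is a placeholder; /features returns a JSON array such as
# ["dhcp","dns","tftp","puppet","puppetca"].

PROXY_URL="${PROXY_URL:-http://foreman-proxy.virtualhost:8443}"

# Print the raw body of the /features page.
fetch_features() {
    curl -s "$PROXY_URL/features"
}

# Read a /features body on stdin; return 0 if every feature given as an
# argument is present, otherwise list the missing ones and return 1.
require_features() {
    body=$(cat)
    missing=""
    for f in "$@"; do
        # match the quoted name so that "dns" does not accept "dnsmasq"
        printf '%s' "$body" | grep -q "\"$f\"" || missing="$missing $f"
    done
    [ -z "$missing" ] || { echo "missing features:$missing" >&2; return 1; }
}

# Usage on the Puppetmaster:
#   fetch_features | require_features dhcp tftp dns puppet
```

A missing feature at this point usually means the corresponding section of /etc/foreman-proxy/settings.yml is still disabled; fix that before adding the proxy in Foreman, because Foreman records the feature list when the proxy is created.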

We can now add the Smart Proxy in Foreman. To do this, use Foreman's interface: in the dropdown menu select "Smart Proxies", then "New Proxy", enter its name and its URL (with the port), and click "Submit".

If everything goes well, you should see all the features supported by your Smart Proxy.

TFTP server configuration

To configure the TFTP server, we need pxelinux.0 and the files for a Debian netboot installation (initrd and vmlinuz). These files are available from a Debian repository.

When using TFTP management, the idea is that all your servers always boot over PXE. If a server does not have to be reinstalled, the TFTP server sends it a "localboot" order; otherwise the server proceeds with the installation. So we need to create a default boot entry that makes a server boot from its local hard drive unless you explicitly ask Foreman to rebuild it.

To do this we use Foreman's templating.

Go to the web interface, under Provisioning Templates: a template named "PXE Default File" should be present.

Click on the "Build PXE Default" button, and Foreman will create the default file in /tftpboot/pxelinux.cfg/default.
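What that default file has to achieve, as an added example that is neither the post's own content nor Foreman's template: a catch-all pxelinux.cfg/default that chains to the local disk, together with a check that the default label really is a localboot entry. pxelinux looks for a per-host file (named after the MAC address or the IP) before falling back to "default", which is why Foreman only has to write a host-specific file when you ask it to rebuild a machine. The TFTP root path follows the post; the file content is standard pxelinux syntax, assumed here rather than copied from Foreman's template.

```shell
#!/bin/sh
# Added example (not from the original post or from Foreman's template):
# a minimal pxelinux default that boots every machine from its local disk
# unless a per-host file exists, plus a check for that property.

# Write a catch-all default that chains to the local disk.
write_pxe_default() {
    # $1 = TFTP root directory (the post uses /tftpboot)
    mkdir -p "$1/pxelinux.cfg"
    cat > "$1/pxelinux.cfg/default" <<'EOF'
DEFAULT local
PROMPT 0
TIMEOUT 0
LABEL local
    LOCALBOOT 0
EOF
}

# Return 0 when the DEFAULT label of a pxelinux config is a LOCALBOOT
# entry, 1 otherwise (for instance an install entry left as default,
# which would reinstall every machine on its next reboot).
pxe_default_is_localboot() {
    # $1 = path to a pxelinux config file
    label=$(awk 'toupper($1)=="DEFAULT"{print $2; exit}' "$1")
    [ -n "$label" ] || return 1
    awk -v want="$label" '
        toupper($1)=="LABEL" { inlabel = ($2 == want) }
        inlabel && toupper($1)=="LOCALBOOT" { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Usage on the TFTP server:
#   pxe_default_is_localboot /tftpboot/pxelinux.cfg/default || echo "default is not localboot"
```

Running the check after every "Build PXE Default" click is a cheap safeguard: a default file whose first entry is the installer turns a reboot of any PXE-booting server into an unattended reinstall.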

Bind configuration

We now proceed with the DNS server configuration. We use the Bind9 DNS server. Foreman uses the nsupdate tool to dynamically update the zones it manages.

This tool requires a key to authenticate update requests (a TSIG shared secret, which dnssec-keygen writes as a .key and a .private file). We generate the key that Foreman will use with the following command:

dnssec-keygen -a HMAC-MD5 -b 512 -n USER foreman.mycompany.com

We store these files in /etc/bind and rename them to foreman.key and foreman.private.

We set their permissions to 400 and their owner to foreman-proxy:foreman-proxy.

Then we tell Bind9 that Foreman is allowed to manage the domain and its reverse zone. This is defined in the zone declarations, where we add an allow-update directive. The result looks like this:
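One way to produce that configuration and to verify the key file permissions asked for above, as an added example that is not from the original post: the script reads the secret from the .private file written by dnssec-keygen, prints a named.conf fragment with a key statement and two zones restricted to updates signed by that key, and checks that the private key is mode 400 and owned by foreman-proxy. The key name, paths and zone names are placeholders taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): build the BIND key and
# allow-update zone declarations for Foreman's TSIG key and check that
# the key files are readable only by foreman-proxy. Placeholders:
# /etc/bind/foreman.private, the key name foreman.mycompany.com and the
# zone names. The .private file format is the one dnssec-keygen writes,
# with the base64 secret on a "Key:" line.

# Extract the base64 secret from a dnssec-keygen .private file.
tsig_secret() {
    # $1 = path to foreman.private
    sed -n 's/^Key: *//p' "$1"
}

# Print the key statement and two zones that accept updates signed with
# it. The algorithm must match the -a given to dnssec-keygen (HMAC-MD5
# in the post).
bind_update_config() {
    # $1 = key name, $2 = secret, $3 = forward zone, $4 = reverse zone
    cat <<EOF
key "$1" {
    algorithm hmac-md5;
    secret "$2";
};

zone "$3" {
    type master;
    file "/etc/bind/db.$3";
    allow-update { key "$1"; };
};

zone "$4" {
    type master;
    file "/etc/bind/db.$4";
    allow-update { key "$1"; };
};
EOF
}

# Return 0 when the file is mode 400 and owned by the expected user, so
# the shared secret cannot be read by other accounts on the server.
key_perms_ok() {
    # $1 = key file, $2 = expected owner
    [ "$(stat -c '%a' "$1")" = "400" ] && [ "$(stat -c '%U' "$1")" = "$2" ]
}

# Usage on the Puppetmaster (as root):
#   secret=$(tsig_secret /etc/bind/foreman.private)
#   bind_update_config foreman.mycompany.com "$secret" \
#       mycompany.com 1.168.192.in-addr.arpa >> /etc/bind/named.conf.local
#   key_perms_ok /etc/bind/foreman.private foreman-proxy || echo "fix key permissions"
```

Because anyone holding that secret can rewrite both zones, the permission check matters as much as the allow-update line. After reloading Bind, you can confirm the setup end to end with nsupdate -k /etc/bind/foreman.private, adding and then deleting a throwaway record. HMAC-MD5 is what the post's Bind9 on Squeeze offers; current Bind releases treat it as weak, and HMAC-SHA256 (dnssec-keygen -a HMAC-SHA256, algorithm hmac-sha256 in the key statement) is the usual choice there.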

Adding a subnet

Enter a name, the associated domain, the network information and the Smart Proxy server that you want to associate with this subnet,

and save.

Be careful: in the 0.3 release there is a bug in Foreman: the Smart Proxy does not take into account the IP range defined in the subnet and always proposes the first available IP (i.e. one that does not respond to ping and is not reserved in dhcpd.leases).

Conclusion

That's it: you have finished setting up the overall management of the four major building blocks that Foreman can handle for you. We saw that Foreman is already really powerful, but you can go even further with its full REST API, libvirt integration and so on.

We would like to thank Foreman's great development team for their amazing work and their help.

If you want to share with the community, do not hesitate to join the #theforeman channel on the Freenode IRC network.

Comments


Hello,
I think the best way to solve your problem is to ask the user community directly, by sending an email with your complete log information to foreman-users@googlegroups.com or on IRC #theforeman (irc.freenode.net)

In the TFTP configuration section you say:
To do this we will use the Foreman templating.

Go to the Web interface, in Provisioning Templates: a template named "PXE Default File" should be present
Click on "Build PXE Default button", and Foreman will create a default file in /tftpboot/pxelinux.cfg/default
The TFTP server is now up and running

If you do that directly, you will get the error mentioned before:
No TFTP proxies defined, can't continue

To fix that, you should first:
- Create a domain where you would like to deploy your host on
- Create a subnet, and select the relevant domain and smart proxy in it.
- Create a host, select the domain / subnet etc